AWS singlesignon documentation change
Summary
Added detailed KMS key policy documentation for customer-initiated AWS Control Tower operations and reordered condition keys
Security assessment
Enhances documentation about secure KMS key configuration patterns for access control. While improves security documentation quality, doesn't address specific vulnerabilities.
Diff
diff --git a/singlesignon/latest/userguide/baseline-KMS-key-policy.md b/singlesignon/latest/userguide/baseline-KMS-key-policy.md index de027f88e..46fc0da9e 100644 --- a//singlesignon/latest/userguide/baseline-KMS-key-policy.md +++ b//singlesignon/latest/userguide/baseline-KMS-key-policy.md @@ -69,2 +69,2 @@ KMS key policy statements - "kms:EncryptionContext:aws:sso:instance-arn": "*", - "kms:ViaService": "sso.*.amazonaws.com" + "kms:ViaService": "sso.*.amazonaws.com", + "kms:EncryptionContext:aws:sso:instance-arn": "*" @@ -97,2 +97,2 @@ KMS key policy statements - "kms:EncryptionContext:aws:identitystore:identitystore-arn": "*", - "kms:ViaService": "identitystore.*.amazonaws.com" + "kms:ViaService": "identitystore.*.amazonaws.com", + "kms:EncryptionContext:aws:identitystore:identitystore-arn": "*" @@ -360 +360 @@ KMS key policy statement: - "AWS": "arn:aws:iam::111122223333:role/AWSControlTowerExecution" + "AWS": "arn:aws:iam::111122223333:role/AWSControlTowerAdmin" @@ -366,2 +366,2 @@ KMS key policy statement: - "kms:EncryptionContext:aws:sso:instance-arn": "*", - "kms:ViaService": "sso.*.amazonaws.com" + "kms:ViaService": "sso.*.amazonaws.com", + "kms:EncryptionContext:aws:sso:instance-arn": "*" @@ -375 +375 @@ KMS key policy statement: - "AWS": "arn:aws:iam::111122223333:role/AWSControlTowerExecution" + "AWS": "arn:aws:iam::111122223333:role/AWSControlTowerAdmin" @@ -390,0 +391,45 @@ AWS Control Tower does not support delegated administration and, therefore, you +###### Important + +The preceding policy statement covers AWS Control Tower service-managed operations, such as automatic enrollment of accounts, where AWS Control Tower assumes the `AWSControlTowerAdmin` role. However, for customer-initiated operations such as provisioning accounts through Account Factory or calling AWS Control Tower APIs directly, AWS Control Tower uses [forward access sessions (FAS)](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_forward_access_sessions.html) and operates under the customer's own IAM role. This means the IAM role you use to initiate these operations also needs `kms:Decrypt` permissions on the customer managed KMS key. + +Add the following KMS key policy statements alongside the `AWSControlTowerAdmin` statements above. Replace `MyControlTowerRole` with the ARN of the IAM role you use to interact with AWS Control Tower, such as an IAM Identity Center permission set role (for example, `AWSReservedSSO_`PermissionSetName`_*`), a custom IAM role for automation, or any other role used to call AWS Control Tower or AWS Service Catalog APIs. + +KMS key policy statement for customer-initiated AWS Control Tower operations: + + + { + "Version": "2012-10-17", + "Statement": [ + { + "Sid": "AllowCustomerRoleToUseTheKMSKeyViaIdentityCenterForControlTower", + "Effect": "Allow", + "Principal": { + "AWS": "arn:aws:iam::111122223333:role/MyControlTowerRole" + }, + "Action": "kms:Decrypt", + "Resource": "*", + "Condition": { + "StringLike": { + "kms:ViaService": "sso.*.amazonaws.com", + "kms:EncryptionContext:aws:sso:instance-arn": "*" + } + } + }, + { + "Sid": "AllowCustomerRoleToUseTheKMSKeyViaIdentityStoreForControlTower", + "Effect": "Allow", + "Principal": { + "AWS": "arn:aws:iam::111122223333:role/MyControlTowerRole" + }, + "Action": "kms:Decrypt", + "Resource": "*", + "Condition": { + "StringLike": { + "kms:ViaService": "identitystore.*.amazonaws.com", + "kms:EncryptionContext:aws:identitystore:identitystore-arn": "*" + } + } + } + ] + } + @@ -418,2 +463,3 @@ KMS key policy statement - "kms:EncryptionContext:aws:sso:instance-arn": "*", - "kms:ViaService": "sso.*.amazonaws.com" + "kms:ViaService": "sso.*.amazonaws.com", + "kms:EncryptionContext:aws:sso:instance-arn": "*" + @@ -498,2 +544,2 @@ KMS key policy statement: - "kms:EncryptionContext:aws:sso:instance-arn": "*", - "kms:ViaService": "sso.*.amazonaws.com" + "kms:ViaService": "sso.*.amazonaws.com", + "kms:EncryptionContext:aws:sso:instance-arn": "*" @@ -603,2 +649,2 @@ If the IAM role was not generated from a permission set, the IAM role will look - "kms:EncryptionContext:aws:sso:instance-arn": "*", - "kms:ViaService": "sso.*.amazonaws.com" + "kms:ViaService": "sso.*.amazonaws.com", + "kms:EncryptionContext:aws:sso:instance-arn": "*" @@ -631,2 +677,2 @@ If the IAM role was not generated from a permission set, the IAM role will look - "kms:EncryptionContext:aws:identitystore:identitystore-arn": "*", - "kms:ViaService": "identitystore.*.amazonaws.com" + "kms:ViaService": "identitystore.*.amazonaws.com", + "kms:EncryptionContext:aws:identitystore:identitystore-arn": "*"